Vulnerability Management
This section is under active development
Contents
Objective
The objective of Vulnerability Management can be described as identifying, prioritizing and mitigating weaknesses in assets which can be exploited. This service is currently listed at #3 in the CIS Top 20 Controls (CIS, 2018), discussed in the NIST Framework (NIST, 2013) and is listed in ISO 27002 A.12.6.1 as discussed by several sources[1][2].
A vulnerability is defined in the ISO 27002 standard as “A weakness of an asset or group of assets that can be exploited by one or more threats” (International Organization for Standardization, 2005) Gartner defines Vulnerability Management as "Vulnerability management is a process that can be implemented to make IT environments more secure and to improve an organization's regulatory compliance posture."
Process
Tripwire states "The vulnerability management process is a continuous information security risk undertaking that requires management oversight. There are four high-level processes that encompass vulnerability management: discovery, reporting, prioritization and response."(Bisson, 2018)
Gartner defines the processes as follows: Policy, baseline, prioritize, shield (read:Compensating Controls), mitigate and maintain(Gartner, 2005)
Unless there are policies in place, compliance within the organization lacks accountability and we will document that under the Documentation section. NIST SP 800-40 Ver 2 Defines "Patch management is the process for identifying, acquiring, installing, and verifying patches for products." and this author makes the argument that this is a process in Vulnerability Management. It could also be performed independently, as applying patches does not necessarily require Vulnerability to operate. Vulnerability Management however is a part of three respected standards (CIS Top 20 Controls, NIST and ISO 27k) and therefore is advisable to be performed.
The prioritization phase is necessary given that organizations will likely lack the resources to deal with every vulnerability.
- Identify - Through threat intelligence, vulnerability scans or other input mechanisms, identify vulnerabilities and their existence in the enterprise.
- Prioritize - Prioritization should follow a methodology. That methodology can be based on Severity and Impact[3]. When considering Severity and Impact, it is advisable to assess it from a business criticality, data governance, reputational risk and legal risk standpoint for starters.
- Mitigate - After prioritization has occurred, the mitigation process takes over.
- Reporting - This takes the form of both reporting on completion of the task and metrics on the overall program
Tooling
Not an all inclusive list:
- Alerting system for critical vulnerabilities being reported on the internet (e.g. Shellshock). This drives action if the enterprise is affected.
- Vulnerability Management System - This is more than just a scanner. The vulnerabilities need to be collected, assessed and prioritized.
- Ticketing system for the enterprise - Vulnerabilities which must be remediated should have tickets associated with them and assigned to the appropriate team.
Ticketing
Reporting
Staffing
Budgeting
Communications
Documentation
Lessons Learned | Pain Points
Citations
Bisson. 2018. "What is Vulnerability Management Anyway?". Retrieved from https://www.tripwire.com/state-of-security/vulnerability-management/what-is-vulnerability-management-anyway/
Center for Internet Security. 2018. CIS Controls™. Retrieved from https://www.cisecurity.org/controls/
ISO/IEC. 2015. Information technology -- Security techniques – Code of practice for information security management. ISO/IEC 27002
NIST - Souppaya and Scarfone. 2013. Guide to Enterprise Patch Management Technologies. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf
Tom Palmaers. 2013. Implementing a vulnerability management process. Retrieved from https://www.sans.org/reading-room/whitepapers/threats/implementing-vulnerability-management-process-34180
Qualys. 2018. Vulnerability management for dummies. Chichester: John Wiley & Sons, 2008. eBook.